urelas | 55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458

General

Target

55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe
Size

536KB
MD5

e3baf642db69a07e28e3aec2aec78bdd
SHA1

6a4e2ec7dce686c77f1751f7eac33a24be8fb9fe
SHA256

55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458
SHA512

f7b64d8536d15703e91b79ea64ec775191ddc7eabfb339ac33891b065a729ee0987f622a808c518ed2fffb9fa65f3df7b11b97e784e65ec7c918023ecdd8f3d2
SSDEEP

12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2g:cLjQC+bs0YOg

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2868 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

coguu.exesofoq.exe

pid process

1712 coguu.exe
1844 sofoq.exe
Loads dropped DLL 2 IoCs

Processes:

55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.execoguu.exe

pid process

2392 55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe
1712 coguu.exe

pid	process
2868	cmd.exe

pid	process
1712	coguu.exe
1844	sofoq.exe

pid	process
2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe
1712	coguu.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2392-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\coguu.exe	upx
behavioral1/memory/2392-16-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1712-19-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1712-25-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.execoguu.execmd.exesofoq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coguu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sofoq.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

sofoq.exe

pid	process
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe
1844	sofoq.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.execoguu.exe

description	pid	process	target process
PID 2392 wrote to memory of 1712	2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe	coguu.exe
PID 2392 wrote to memory of 1712	2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe	coguu.exe
PID 2392 wrote to memory of 1712	2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe	coguu.exe
PID 2392 wrote to memory of 1712	2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe	coguu.exe
PID 2392 wrote to memory of 2868	2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe	cmd.exe
PID 2392 wrote to memory of 2868	2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe	cmd.exe
PID 2392 wrote to memory of 2868	2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe	cmd.exe
PID 2392 wrote to memory of 2868	2392	55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe	cmd.exe
PID 1712 wrote to memory of 1844	1712	coguu.exe	sofoq.exe
PID 1712 wrote to memory of 1844	1712	coguu.exe	sofoq.exe
PID 1712 wrote to memory of 1844	1712	coguu.exe	sofoq.exe
PID 1712 wrote to memory of 1844	1712	coguu.exe	sofoq.exe

C:\Users\Admin\AppData\Local\Temp\55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe
"C:\Users\Admin\AppData\Local\Temp\55234f7a9fae7d20d400e256b63f62cdec8a3007696c54a5863af7078a90a458.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\coguu.exe
  "C:\Users\Admin\AppData\Local\Temp\coguu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\sofoq.exe
    "C:\Users\Admin\AppData\Local\Temp\sofoq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2b7661c6ec6638c59f7a18509f3936b4

SHA1
0279a4d9807dbf9100d521ad9b0c8f4cf208b221

SHA256
0ab1c3e8ea28e13154fa6cece24d8a3b8d3e2643f249be2738edb004da0b810f

SHA512
e646a5869cbfc5b1abd4156b2458556f54f51bdfc42567783b264b52da750787b0dab6d72a141a89511019949581d118d75a9da70baf3045b94527e05f5de963

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5e4947d06473d26b2a11a1ff3dc1c07f

SHA1
fd9d37d42220db22e1f5f02e527bd42181fea46c

SHA256
5d925f74154e0804ffaa385458a8e4b5d2695e9a8d4f69ef79ebb7ea2bee840b

SHA512
eb9a310fd1970a15d40661212f5a12bf3ab116327385192cae643a30e801f0b0c7b9a0458517ab212c617cda6521fec1a388a6500d4f0b3efb955ad0e3fe6a76

Download Submit
\Users\Admin\AppData\Local\Temp\coguu.exe

Filesize
536KB

MD5
177a444e8786a892a32e13c0ed97a0f6

SHA1
b71b886c0ccc074d7cc794b8bdfd63d8bbb7a756

SHA256
a31339a904a373c5d9d03f5e52df4ccd8ca421f1ecbb46b272d7eae0138f45cf

SHA512
c5e1de0a6b6c84326a5c31fe8fcd49c7a116a1b27fa1ca97fbab39c4e0590a4473496b8805a3b88241dddd6151e0be7f2c17180e5b22be1abdab83623b2f0b5a

Download Submit
\Users\Admin\AppData\Local\Temp\sofoq.exe

Filesize
241KB

MD5
e2d4639c8e53731235e402b2a7ad1116

SHA1
2b65c1857dced14df8d5a11c08c3c5bbbed6c765

SHA256
4b67aa475e5072bb1b709adb4410c0d2fa159c7b3f3bac4c70cf609580b6b761

SHA512
043bd1ec00aa0201b141393805335141fe1c277379588fdf1006634e5990cc2013cee89c444bf0f8e654d382dea6e5b9d7fb3d496bed7022d32ee48838a29ea4

Download Submit
memory/1712-19-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1712-25-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1844-27-0x0000000000FD0000-0x0000000001086000-memory.dmp

Filesize
728KB

Download
memory/1844-29-0x0000000000FD0000-0x0000000001086000-memory.dmp

Filesize
728KB

Download
memory/1844-30-0x0000000000FD0000-0x0000000001086000-memory.dmp

Filesize
728KB

Download
memory/2392-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2392-16-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads